<!DOCTYPE html>
<html lang="en-US">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
    <link rel="profile" href="https://gmpg.org/xfn/11">
    <link rel="pingback" href="https://stairwell.com/xmlrpc.php">
    <title>
		ChamelGang and ChamelDoH: A DNS-over-HTTPS implant - Stairwell    </title>
	    <link rel="apple-touch-icon" sizes="57x57" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/apple-icon-180x180.png">
    <link rel="icon" type="image/png" sizes="192x192" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/android-icon-192x192.png">
    <link rel="icon" type="image/png" sizes="32x32" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/favicon-32x32.png">
    <link rel="icon" type="image/png" sizes="96x96" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/favicon-96x96.png">
    <link rel="icon" type="image/png" sizes="16x16" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/favicon-16x16.png">
    <link rel="manifest" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/manifest.json">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/ui/favicon/ms-icon-144x144.png">
    <meta name="theme-color" content="#ffffff">

    <link rel="shortcut icon" href="https://stairwell.com/wp-content/themes/stairwell-web-2021/static/static/ui/favicon.ico" type="image/x-icon">
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	<!-- This site is optimized with the Yoast SEO plugin v20.9 - https://yoast.com/wordpress/plugins/seo/ -->
	<meta name="description" content="This report by Stairwell on ChamelDoH is the first in a series detailing the capabilities and detection of various tools used by ChamelGang." />
	<link rel="canonical" href="https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:title" content="ChamelGang and ChamelDoH: A DNS-over-HTTPS implant - Stairwell" />
	<meta property="og:description" content="This report by Stairwell on ChamelDoH is the first in a series detailing the capabilities and detection of various tools used by ChamelGang." />
	<meta property="og:url" content="https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/" />
	<meta property="og:site_name" content="Stairwell" />
	<meta property="article:modified_time" content="2023-06-13T15:53:33+00:00" />
	<meta property="og:image" content="https://stairwell.com/wp-content/uploads/2023/06/ChamelDoH.png" />
	<meta property="og:image:width" content="1200" />
	<meta property="og:image:height" content="628" />
	<meta property="og:image:type" content="image/png" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:image" content="https://stairwell.com/wp-content/uploads/2023/06/ChamelDoH.png" />
	<meta name="twitter:label1" content="Est. reading time" />
	<meta name="twitter:data1" content="6 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"WebPage","@id":"https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/","url":"https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/","name":"ChamelGang and ChamelDoH: A DNS-over-HTTPS implant - Stairwell","isPartOf":{"@id":"https://stairwell.com/#website"},"primaryImageOfPage":{"@id":"https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/#primaryimage"},"image":{"@id":"https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/#primaryimage"},"thumbnailUrl":"https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1-1024x708.png","datePublished":"2023-06-13T15:51:18+00:00","dateModified":"2023-06-13T15:53:33+00:00","description":"This report by Stairwell on ChamelDoH is the first in a series detailing the capabilities and detection of various tools used by ChamelGang.","breadcrumb":{"@id":"https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/#primaryimage","url":"https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1.png","contentUrl":"https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1.png","width":1593,"height":1102},{"@type":"BreadcrumbList","@id":"https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://stairwell.com/"},{"@type":"ListItem","position":2,"name":"News","item":"https://stairwell.com/news/"},{"@type":"ListItem","position":3,"name":"ChamelGang and ChamelDoH: A DNS-over-HTTPS implant"}]},{"@type":"WebSite","@id":"https://stairwell.com/#website","url":"https://stairwell.com/","name":"Stairwell","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://stairwell.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}</script>
	<!-- / Yoast SEO plugin. -->


<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.googletagmanager.com' />
<link rel='stylesheet' id='stairwellWeb2021MainCSS-css' href='https://stairwell.com/wp-content/themes/stairwell-web-2021/static/dist/style.css?ver=1.48' type='text/css' media='' />
<style id='safe-svg-svg-icon-style-inline-css' type='text/css'>
.safe-svg-cover .safe-svg-inside{display:inline-block;max-width:100%}.safe-svg-cover svg{height:100%;max-height:100%;max-width:100%;width:100%}

</style>
<link rel='stylesheet' id='classic-theme-styles-css' href='https://stairwell.com/wp-includes/css/classic-themes.min.css?ver=6.2.2' type='text/css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}body .is-layout-flow > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignleft{float: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-constrained > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-constrained > .aligncenter{margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > :where(:not(.alignleft):not(.alignright):not(.alignfull)){max-width: var(--wp--style--global--content-size);margin-left: auto !important;margin-right: auto !important;}body .is-layout-constrained > .alignwide{max-width: var(--wp--style--global--wide-size);}body .is-layout-flex{display: flex;}body .is-layout-flex{flex-wrap: wrap;align-items: center;}body .is-layout-flex > *{margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
.wp-block-navigation a:where(:not(.wp-element-button)){color: inherit;}
:where(.wp-block-columns.is-layout-flex){gap: 2em;}
.wp-block-pullquote{font-size: 1.5em;line-height: 1.6;}
</style>
<link rel='stylesheet' id='contact-form-7-css' href='https://stairwell.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.7.7' type='text/css' media='all' />
<script type='text/javascript' src='https://stairwell.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.4' id='jquery-core-js'></script>
<script type='text/javascript' src='https://stairwell.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.0' id='jquery-migrate-js'></script>

<!-- Google Analytics snippet added by Site Kit -->
<script type='text/javascript' src='https://www.googletagmanager.com/gtag/js?id=UA-180646454-1' id='google_gtagjs-js' async></script>
<script type='text/javascript' id='google_gtagjs-js-after'>
window.dataLayer = window.dataLayer || [];function gtag(){dataLayer.push(arguments);}
gtag('set', 'linker', {"domains":["stairwell.com"]} );
gtag("js", new Date());
gtag("set", "developer_id.dZTNiMT", true);
gtag("config", "UA-180646454-1", {"anonymize_ip":true});
gtag("config", "G-TW84GPPQZ8");
</script>

<!-- End Google Analytics snippet added by Site Kit -->
<link rel="https://api.w.org/" href="https://stairwell.com/wp-json/" /><link rel="alternate" type="application/json" href="https://stairwell.com/wp-json/wp/v2/news/2201" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://stairwell.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://stairwell.com/wp-includes/wlwmanifest.xml" />
<link rel='shortlink' href='https://stairwell.com/?p=2201' />
<meta name="generator" content="Site Kit by Google 1.96.0" />			<!-- DO NOT COPY THIS SNIPPET! Start of Page Analytics Tracking for HubSpot WordPress plugin v10.1.24-->
			<script type="text/javascript" class="hsq-set-content-id" data-content-id="blog-post">
				var _hsq = _hsq || [];
				_hsq.push(["setContentType", "blog-post"]);
			</script>
			<!-- DO NOT COPY THIS SNIPPET! End of Page Analytics Tracking for HubSpot WordPress plugin -->
			
<!-- Google AdSense snippet added by Site Kit -->
<meta name="google-adsense-platform-account" content="ca-host-pub-2644536267352236">
<meta name="google-adsense-platform-domain" content="sitekit.withgoogle.com">
<!-- End Google AdSense snippet added by Site Kit -->

<!-- Google Tag Manager snippet added by Site Kit -->
<script type="text/javascript">
			( function( w, d, s, l, i ) {
				w[l] = w[l] || [];
				w[l].push( {'gtm.start': new Date().getTime(), event: 'gtm.js'} );
				var f = d.getElementsByTagName( s )[0],
					j = d.createElement( s ), dl = l != 'dataLayer' ? '&l=' + l : '';
				j.async = true;
				j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
				f.parentNode.insertBefore( j, f );
			} )( window, document, 'script', 'dataLayer', 'GTM-NFTQ2KC' );
			
</script>

<!-- End Google Tag Manager snippet added by Site Kit -->
<link rel="icon" href="https://stairwell.com/wp-content/uploads/2021/09/cropped-stairwell_favicon_blue_32x32-32x32.png" sizes="32x32" />
<link rel="icon" href="https://stairwell.com/wp-content/uploads/2021/09/cropped-stairwell_favicon_blue_32x32-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://stairwell.com/wp-content/uploads/2021/09/cropped-stairwell_favicon_blue_32x32-180x180.png" />
<meta name="msapplication-TileImage" content="https://stairwell.com/wp-content/uploads/2021/09/cropped-stairwell_favicon_blue_32x32-270x270.png" />
		<style type="text/css" id="wp-custom-css">
			/* need this to wrap long strings on mobile */
p {
    overflow-wrap: anywhere;
}		</style>
		
	<!-- Begin ZoomInfo Code -->
    <script>
        (function () {
            var zi = document.createElement('script');
            zi.type = 'text/javascript';
            zi.async = true;
            zi.referrerPolicy = 'unsafe-url';
            zi.src = 'https://ws.zoominfo.com/pixel/61b934c611d2a8001c3b0968';
            var s = document.getElementsByTagName('script')[0];
            s.parentNode.insertBefore(zi, s);
        })();
    </script>
    <!-- End ZoomInfo Code –->

<!-- Start cookieyes banner --> 
<script id="cookieyes" type="text/javascript" src="https://cdn-cookieyes.com/client_data/29f72abe3236264929833427/script.js"></script>
<!-- End cookieyes banner -->

<!-- Start of HubSpot Embed Code -->
<script type="text/javascript" id="hs-script-loader" async defer src="//js.hs-scripts.com/8174064.js"></script>
<!-- End of HubSpot Embed Code -->

<style>
div#hs-eu-cookie-confirmation div#hs-eu-cookie-confirmation-inner {
    background: #fff !important;
    margin: 0 auto !important;
    max-width: 700px !important;
    padding: 20px !important;
}
</style></head>

<body class="news-template-default single single-news postid-2201">



<!-- NAVIGATION -->
<nav class="c-navigation__wrapper c-mobile-navigation__wrapper js-navigation-wrapper">
    <div class="o-container--fixed">
        <div class="c-navigation">
            <div class="c-navigation__inner">
                <div class="c-navigation__logo">
					                        <a href="https://stairwell.com">
                            <img src="https://stairwell.com/wp-content/uploads/2021/09/Stairwell-Logo-Blue.svg" alt="">
                        </a>
					                </div>
                <div class="u-b0 c-navigation__list">
					
<ul>
	<li class="c-navigation__item">
	        <span class="c-link-thin js-has-dropdown "
              tabindex="1">
                        Product                    </span>

        <ul class="c-navigation__dropdown js-dropdown">
			                <li>
                    <a href="https://stairwell.com/product/the-inception-platform" class="u-b0 js-dropdown-tab-link"
                       tabindex="2">
						Overview                    </a>
                </li>
			                <li>
                    <a href="https://stairwell.com/use-cases/" class="u-b0 js-dropdown-tab-link"
                       tabindex="3">
						Use cases                    </a>
                </li>
			                <li>
                    <a href="https://stairwell.com/product-inception-overview/data-sheet/" class="u-b0 js-dropdown-tab-link"
                       tabindex="4">
						Data sheet                    </a>
                </li>
			        </ul>
	</li>
<li class="c-navigation__item">
	        <span class="c-link-thin js-has-dropdown "
              tabindex="2">
                        Explore                    </span>

        <ul class="c-navigation__dropdown js-dropdown">
			                <li>
                    <a href="https://stairwell.com/explore/" class="u-b0 js-dropdown-tab-link"
                       tabindex="3">
						Research &amp; blogs                    </a>
                </li>
			                <li>
                    <a href="https://stairwell.com/resource-center/" class="u-b0 js-dropdown-tab-link"
                       tabindex="4">
						Resources                    </a>
                </li>
			        </ul>
	</li>
<li class="c-navigation__item">
	        <span class="c-link-thin js-has-dropdown "
              tabindex="3">
                        Company                    </span>

        <ul class="c-navigation__dropdown js-dropdown">
			                <li>
                    <a href="https://stairwell.com/company/" class="u-b0 js-dropdown-tab-link"
                       tabindex="4">
						About                    </a>
                </li>
			                <li>
                    <a href="https://stairwell.com/careers/" class="u-b0 js-dropdown-tab-link"
                       tabindex="5">
						Careers                    </a>
                </li>
			                <li>
                    <a href="https://stairwell.com/news/?news-cat=press-releases" class="u-b0 js-dropdown-tab-link"
                       tabindex="6">
						News                    </a>
                </li>
			        </ul>
	</li>
<li class="c-navigation__item c-navigation__item--button">
    <a href="https://tour.stairwell.com/" class="c-navigation__button c-navigation__button--border-green c-navigation__button--bg-none"
       tabindex="4">
  <span>
    Take a tour  </span>
    </a>
</li>
<li class="c-navigation__item c-navigation__item--button">
    <a href="https://stairwell.com/contact/" class="c-navigation__button c-navigation__button--border-green c-navigation__button--bg-green"
       tabindex="5">
  <span>
    Request a demo  </span>
    </a>
</li>
</ul>                </div>
            </div>
        </div>
		<!-- MOBILE NAVIGATION -->
<div class="c-mobile-navigation__inner">
    <div class="c-mobile-navigation__logo">
        <a href="https://stairwell.com">
			                <img class="is-dark" src="https://stairwell.com/wp-content/uploads/2021/09/Stairwell-Logo-Blue.svg" alt="">
			                <img class="is-light" src="https://stairwell.com/wp-content/uploads/2021/09/Stairwell-Logo-White.svg" alt="">
			        </a>
    </div>

    <div class="c-mobile-navigation__trigger js-mobile-navigation-trigger">
        <div class="c-mobile-navigation__trigger-icon-open">
			<svg width="29" height="31" viewBox="0 0 29 31" fill="none" xmlns="http://www.w3.org/2000/svg">
<path fill-rule="evenodd" clip-rule="evenodd" d="M14.5 1.94098L27 8.19098V22.809L14.5 29.059L2 22.809V8.19098L14.5 1.94098ZM3 9.37051V22.191L14 27.691V15.7872L3 9.37051ZM15 15.7872V27.691L26 22.191V9.37051L15 15.7872ZM25.4497 8.53384L14.5 3.05901L3.55034 8.53384L14.5 14.9211L25.4497 8.53384Z" fill="black"/>
<circle cx="14.5" cy="2.5" r="2.5" fill="#545454"/>
<circle cx="14.5" cy="15.5" r="2.5" fill="#545454"/>
<circle cx="2.5" cy="8.5" r="2.5" fill="#545454"/>
<circle cx="2.5" cy="22.5" r="2.5" fill="#545454"/>
<circle cx="26.5" cy="8.5" r="2.5" fill="#545454"/>
<circle cx="26.5" cy="22.5" r="2.5" fill="#545454"/>
<circle cx="14.5" cy="28.5" r="2.5" fill="#545454"/>
</svg>
        </div>
    </div>
</div>

    <div class="u-a3 c-mobile-navigation__list js-mobile-nav-list">
		
<ul>
	        <li>
			
			<span class="c-link-thin c-link-thin--light js-mobile-navigation-submenu-trigger ">
                Product
            </span>
            
            <button class="c-mobile-navigation__submenu-button js-mobile-navigation-submenu-trigger">
	<svg class="u-icon u-icon--caret-top-right" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
    <path fill-rule="evenodd" clip-rule="evenodd" d="M24 0.999998L0 1V8.9407e-08L24 -1.90735e-06V0.999998Z"/>
    <path fill-rule="evenodd" clip-rule="evenodd" d="M23 24V0H24V24H23Z"/>
</svg>
</button>

<ul class="c-mobile-navigation__submenu u-a1 js-mobile-navigation-submenu">
	        <li>
            <a href="https://stairwell.com/product/the-inception-platform">
				Overview            </a>
        </li>
	        <li>
            <a href="https://stairwell.com/use-cases/">
				Use cases            </a>
        </li>
	        <li>
            <a href="https://stairwell.com/product-inception-overview/data-sheet/">
				Data sheet            </a>
        </li>
	</ul>

		        </li>
	        <li>
			
			<span class="c-link-thin c-link-thin--light js-mobile-navigation-submenu-trigger ">
                Explore
            </span>
            
            <button class="c-mobile-navigation__submenu-button js-mobile-navigation-submenu-trigger">
	<svg class="u-icon u-icon--caret-top-right" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
    <path fill-rule="evenodd" clip-rule="evenodd" d="M24 0.999998L0 1V8.9407e-08L24 -1.90735e-06V0.999998Z"/>
    <path fill-rule="evenodd" clip-rule="evenodd" d="M23 24V0H24V24H23Z"/>
</svg>
</button>

<ul class="c-mobile-navigation__submenu u-a1 js-mobile-navigation-submenu">
	        <li>
            <a href="https://stairwell.com/explore/">
				Research &amp; blogs            </a>
        </li>
	        <li>
            <a href="https://stairwell.com/resource-center/">
				Resources            </a>
        </li>
	</ul>

		        </li>
	        <li>
			
			<span class="c-link-thin c-link-thin--light js-mobile-navigation-submenu-trigger ">
                Company
            </span>
            
            <button class="c-mobile-navigation__submenu-button js-mobile-navigation-submenu-trigger">
	<svg class="u-icon u-icon--caret-top-right" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
    <path fill-rule="evenodd" clip-rule="evenodd" d="M24 0.999998L0 1V8.9407e-08L24 -1.90735e-06V0.999998Z"/>
    <path fill-rule="evenodd" clip-rule="evenodd" d="M23 24V0H24V24H23Z"/>
</svg>
</button>

<ul class="c-mobile-navigation__submenu u-a1 js-mobile-navigation-submenu">
	        <li>
            <a href="https://stairwell.com/company/">
				About            </a>
        </li>
	        <li>
            <a href="https://stairwell.com/careers/">
				Careers            </a>
        </li>
	        <li>
            <a href="https://stairwell.com/news/?news-cat=press-releases">
				News            </a>
        </li>
	</ul>

		        </li>
	        <li>
			<a href="https://tour.stairwell.com/" class="c-navigation__button c-navigation__button--border-green c-navigation__button--bg-none">
  <span>
      Take a tour  </span>
</a>


        </li>
	        <li>
			<a href="https://stairwell.com/contact/" class="c-navigation__button c-navigation__button--border-green c-navigation__button--bg-green">
  <span>
      Request a demo  </span>
</a>


        </li>
	</ul>

        <div class="c-mobile-navigation__list-bg">
			                <img src="https://stairwell.com/wp-content/uploads/2021/09/contact.svg" alt="">
			        </div>
    </div>
<!-- //MOBILE NAVIGATION -->
</nav>
<!-- //NAVIGATION -->
<!-- PAGE WRAPPER -->
<div id="news-single" class="o-page o-page--news-single">
        <section
            class="c-product-detail-header  ">
        <div class="o-container--fixed">
            <div class="c-product-detail-header__inner">
                <div class="c-product-detail-header__content">
                    <p class="u-a3 c-product-detail-header__eyebrow">
						Threat research • June 13, 2023                    </p>
                    <h1 class="u-a5 c-product-detail-header__heading">
						ChamelGang and ChamelDoH: A DNS-over-HTTPS implant                    </h1>
                </div>
				                    <div class="c-product-detail-header__background">
                        <img src="https://stairwell.com/wp-content/uploads/2022/01/Circle-Background-Green-Animated.svg"
                             alt="" loading="lazy">
                    </div>
								            </div>
        </div>
    </section>
    <!-- PAGE CONTENT -->
    <div class="o-page__inner o-page__inner--news-single">
        <div class="o-container--fixed">
            <div class="u-rte">
              <div class="u-rte__sticky">
                  
<div class="u-rte__sticky-inner">
    <a href="https://twitter.com/intent/tweet?url=https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/"
       class="u-rte__sticky-icon" target="_blank">
		<svg class="u-icon u-icon--twitter" viewBox="0 0 14 12" xmlns="http://www.w3.org/2000/svg">
    <path d="M4.277 11.053C5.32157 11.0602 6.35715 10.8597 7.3236 10.4633C8.29004 10.0669 9.16808 9.48236 9.90672 8.74372C10.6454 8.00508 11.2299 7.12704 11.6263 6.1606C12.0227 5.19415 12.2232 4.15857 12.216 3.114C12.216 2.993 12.216 2.873 12.208 2.753C12.7541 2.35782 13.2255 1.86851 13.6 1.308C13.0916 1.53339 12.5523 1.68136 12 1.747C12.5822 1.39689 13.0172 0.847074 13.224 0.2C12.6762 0.524952 12.0769 0.753914 11.452 0.877001C11.1907 0.599314 10.8752 0.378205 10.525 0.227356C10.1747 0.0765063 9.79731 -0.000875224 9.416 -2.92041e-07C8.67595 -3.39543e-07 7.9662 0.293914 7.44282 0.817112C6.91943 1.34031 6.62527 2.04995 6.625 2.79C6.6245 3.00406 6.64866 3.21747 6.697 3.426C5.58777 3.37038 4.50263 3.08212 3.51203 2.57993C2.52143 2.07774 1.64751 1.37284 0.947 0.510999C0.699362 0.936006 0.568924 1.41911 0.569 1.911C0.568081 2.37082 0.680909 2.82374 0.897434 3.22939C1.11396 3.63505 1.42746 3.98085 1.81 4.236C1.36681 4.22251 0.933328 4.10282 0.546 3.887V3.923C0.546154 4.56711 0.769086 5.19134 1.17699 5.68983C1.58489 6.18832 2.15266 6.53038 2.784 6.658C2.5442 6.72387 2.29669 6.7575 2.048 6.758C1.87181 6.75798 1.69602 6.74124 1.523 6.708C1.70121 7.26254 2.04832 7.74749 2.51578 8.09498C2.98323 8.44248 3.54763 8.63514 4.13 8.646C3.14163 9.42045 1.92165 9.84026 0.666 9.838C0.443447 9.8384 0.221063 9.82571 0 9.8C1.27587 10.6195 2.76063 11.0545 4.277 11.053"></path>
</svg>
    </a>
    <a href="https://www.facebook.com/sharer/sharer.php?u=https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/" target="_blank"
       class="u-rte__sticky-icon">
		<svg class="u-icon u-icon--facebook" viewBox="0 0 9 16" xmlns="http://www.w3.org/2000/svg">
    <path d="M5.409 15.864V8.897H7.748L8.098 6.182H5.409V4.446C5.409 3.66 5.627 3.124 6.755 3.124H8.19V0.695999C7.49247 0.622083 6.79143 0.586363 6.09 0.588999C5.61418 0.554555 5.13658 0.624579 4.69067 0.794163C4.24476 0.963747 3.84133 1.22879 3.50864 1.57072C3.17595 1.91264 2.92206 2.32318 2.76476 2.77357C2.60745 3.22396 2.55054 3.7033 2.598 4.178V6.178H0.261002V8.893H2.606V15.86H5.406"></path>
</svg>
    </a>
    <a href="/cdn-cgi/l/email-protection#665912095b400409021f5b0e121216155c49491512070f1411030a0a4805090b490803111549050e070b030a010708014b0708024b050e070b030a02090e4b074b0208154b091003144b0e121216154b0f0b160a07081249" target="_blank" class="u-rte__sticky-icon">
		<svg class="u-icon u-icon--mail" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 14">
    <path d="M8.294 8.548 1.339 3.767v7.175h14.012v-7.1z" transform="translate(0 1.173)"></path>
    <path d="M15.349 3.842V2.483H1.339v1.276L8.3 8.546z"></path>
</svg>
    </a>
    <a href="https://www.linkedin.com/shareArticle?mini=true&url=https://stairwell.com/news/chamelgang-and-chameldoh-a-dns-over-https-implant/"
       target="_blank" class="u-rte__sticky-icon">
		<svg class="u-icon u-icon--linkedin" viewBox="0 0 15 15" xmlns="http://www.w3.org/2000/svg">
    <path d="M2.316 0.743999C2.74035 0.743999 3.14732 0.912571 3.44737 1.21263C3.74743 1.51269 3.916 1.91965 3.916 2.344C3.916 2.76835 3.74743 3.17531 3.44737 3.47537C3.14732 3.77543 2.74035 3.944 2.316 3.944C1.89166 3.944 1.48469 3.77543 1.18463 3.47537C0.884574 3.17531 0.716003 2.76835 0.716003 2.344C0.716003 1.91965 0.884574 1.51269 1.18463 1.21263C1.48469 0.912571 1.89166 0.743999 2.316 0.743999V0.743999ZM0.937003 14.012H3.694V5.149H0.937003V14.012Z"></path>
    <path d="M6 5.22201H8.64V6.43401H8.678C8.9421 5.98181 9.32399 5.60977 9.78294 5.35757C10.2419 5.10538 10.7607 4.98249 11.284 5.00201C14.073 5.00201 14.584 6.83701 14.584 9.22401V14.085H11.834V9.77501C11.834 8.74701 11.816 7.42501 10.403 7.42501C8.969 7.42501 8.751 8.54501 8.751 9.70201V14.086H6V5.22301"></path>
</svg>
    </a>
</div>
              </div>
                <div class="u-rte__content">
                    
<p>The Stairwell Threat Research team has recently identified various tools used in intrusions by ChamelGang, a sophisticated threat actor with a nexus to China. <a href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/#id5" target="_blank" rel="noreferrer noopener">ChamelGang has previously been observed</a> targeting energy, aviation, and government organizations in Russia, the United States, Japan, Turkey, Taiwan, Vietnam, India, Afghanistan, Lithuania, and Nepal.&nbsp;</p>



<p>The original report, published by <a href="https://www.ptsecurity.com/" target="_blank" rel="noreferrer noopener">Positive Technologies</a>, mainly focuses on the group’s Windows toolset. An overview of the tools recently identified by Stairwell’s Threat Research has revealed that this group has also devoted considerable time and effort to researching and developing an equally robust toolset for Linux intrusions. One such example is <em>ChamelDoH</em>, a C++ implant designed to communicate via DNS-over-HTTPS (DoH) tunneling.&nbsp;</p>



<p>This report is the first in a series detailing the capabilities and detection of various tools in ChamelGang’s intrusion arsenal.</p>



<h2 class="wp-block-heading">Technical overview</h2>



<p>The sample <code>34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7</code> is a large C++ binary designed for remote access to the system it is installed on and communicates with configured command-and-control (C2) infrastructure via DoH tunneling.</p>



<p>The sample utilizes a modified base64 alphabet to encode its communication as subdomains for a malicious, actor-controlled nameserver. The implant collects various portions of system information to profile the infected machine and is capable of basic remote access operations such as file upload, download, deletion, and execution.</p>



<h2 class="wp-block-heading">Information gathering</h2>



<p>Upon execution, the implant will utilize various system calls to generate a JSON object containing assorted pieces of reconnaissance data. The keys of the JSON and a description of each value have been included below.</p>



<figure class="wp-block-table"><table><thead><tr><th>Key</th><th>Value description</th></tr></thead><tbody><tr><td><code>host_name</code></td><td>System hostname</td></tr><tr><td><code>ip</code></td><td>Any IP address for an interface that is not 127.0.0.1</td></tr><tr><td><code>system_type</code></td><td><code>sysname</code> parsed from the system’s <code>utsname</code> <a href="https://pubs.opengroup.org/onlinepubs/009695399/basedefs/sys/utsname.h.html" target="_blank" rel="noreferrer noopener">struct</a>, i.e. <code>Linux</code></td></tr><tr><td><code>system_version</code></td><td><code>version</code> parsed from the system’s <code>utsname</code> struct,<br>i.e. <code>#43-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 18:21:28 UTC 2023</code></td></tr><tr><td><code>whoami</code></td><td>The user context that <em>ChamelDoH</em> is running under</td></tr><tr><td><code>process_pid</code></td><td>The process ID of the <em>ChamelDoH</em> process</td></tr><tr><td><code>bits</code></td><td>The bitness of the system, i.e. <code>x86_64</code></td></tr><tr><td><code>pwd</code></td><td>The working directory of the <em>ChamelDoH</em> process</td></tr><tr><td><code>id</code></td><td>A pseudo-randomly generated integer generated by <em>ChamelDoH</em> that is used as an implant ID</td></tr></tbody></table><figcaption class="wp-element-caption"><em>Table 1: Information gathered by ChamelDoH upon execution</em></figcaption></figure>



<h2 class="wp-block-heading">DNS-over-HTTPS tunneling</h2>



<p><em>ChamelDoH</em> is novel in its method of command-and-control (C2). The implant’s C2 configuration is a JSON object containing two keys. The keys of the JSON and a description of each value have been included below.</p>



<figure class="wp-block-table"><table><thead><tr><th>Key</th><th>Value description</th></tr></thead><tbody><tr><td><code>ns_record</code></td><td>An array of malicious nameservers that are used for C2</td></tr><tr><td><code>doh</code></td><td>An array of legitimate DoH cloud providers that can be abused for tunneling</td></tr></tbody></table><figcaption class="wp-element-caption"><em>Table 2: ChamelDoH configuration fields</em></figcaption></figure>



<p>The sample <code>34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7</code> contains the following configuration (which has been defanged):</p>



<pre class="wp-block-code"><code>{
     ns_record: &#91;
          "ns1.spezialsex&#91;.]com",
          "ns2.spezialsex&#91;.]com"
     ],
     doh: &#91;
          https:&#47;&#47;8.8.8.8/resolve?type=TXT&amp;name=,
          https://8.8.4.4/resolve?type=TXT&name=,
          https://1.1.1.1/dns-query?type=TXT&name=,
          https://cloudflare-dns.com/dns-query?type=TXT&name=,
          https://dns.google.com/resolve?type=TXT&name=
     ]
}</code></pre>



<p><em>Figure 2: ChamelDoH configuration JSON</em></p>



<p>This configuration is then used by the implant to craft DoH requests using the configured providers and malicious nameservers, encoding its C2 communications as subdomains of the malicious nameserver and issuing TXT requests for the generated domain containing the encoded C2 communications.&nbsp;</p>



<p>Due to these DoH providers being commonly utilized DNS servers for legitimate traffic, they cannot easily be blocked enterprise-wide. Additionally, HTTPS prevents inspection of these requests without man-in-the-middling the traffic, so defenders cannot easily identify what domain requests are being made over DoH and selectively detect or prevent anomalous traffic such as <em>ChamelDoH’</em>s encoded communications. The result of this tactic is akin to C2 via domain fronting, where traffic is sent to a legitimate service hosted on a CDN, but redirected to a C2 server via the request’s <code>Host</code> header &#8211; both detection and prevention are difficult. A diagram has been included below to better illustrate its communications.</p>



<figure class="wp-block-image size-large"><img decoding="async" loading="lazy" width="1024" height="708" src="https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1-1024x708.png" alt="Diagram on ChamelDoH communications" class="wp-image-2203" srcset="https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1-1024x708.png 1024w, https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1-300x208.png 300w, https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1-768x531.png 768w, https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1-1536x1063.png 1536w, https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-1.png 1593w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p><em>Figure 3: Example DNS-over-HTTPS tunneling diagram</em></p>



<p><em>ChamelDoH</em> encrypts its communication using AES128 and base64 encodes the result so that it can be prepended as a subdomain. Since the base64 alphabet contains some non-alphanumeric characters, <em>ChamelDoH</em> utilizes a modified base64 alphabet to ensure the encoded data can be transmitted via DNS. It substitutes these characters with multi-character strings that have been detailed in the following table:</p>



<figure class="wp-block-table"><table><thead><tr><th>Original character</th><th><strong><em>ChamelDoH</em> substitution</strong></th></tr></thead><tbody><tr><td><code>=</code></td><td><code>A3C3C3CA</code></td></tr><tr><td><code>+</code></td><td><code>A2B2B2BA</code></td></tr><tr><td><code>/</code></td><td><code>A1A1A1AA</code></td></tr></tbody></table><figcaption class="wp-element-caption"><em>Table 3: ChamelDoH base64 alphabet substitutions</em></figcaption></figure>



<p>Since the DNS requests are TXT requests, the malicious C2 server is able to respond with arbitrary data within the response, and thus utilizes the standard base64 alphabet for its responses.</p>



<h2 class="wp-block-heading">Capabilities</h2>



<p>The implant is capable of basic remote access operations such as file upload, download, deletion, and execution. A list of all implemented commands has been included below.</p>



<figure class="wp-block-table"><table><thead><tr><th>Command</th><th>Description</th></tr></thead><tbody><tr><td><code>run</code></td><td>Execute a file/shell command</td></tr><tr><td><code>sleep</code></td><td>Set number of seconds until next check-in</td></tr><tr><td><code>wget</code></td><td>Download a file from a URL</td></tr><tr><td><code>upload</code></td><td>Read and upload a file</td></tr><tr><td><code>download</code></td><td>Download and write a file</td></tr><tr><td><code>rm</code></td><td>Delete a file</td></tr><tr><td><code>cp</code></td><td>Copy a file to a new location</td></tr><tr><td><code>cd</code></td><td>Change the working directory</td></tr></tbody></table><figcaption class="wp-element-caption">Table 4: <em>ChamelDoH</em> commands</figcaption></figure>



<h2 class="wp-block-heading">Variant analysis</h2>



<p>Utilizing Stairwell’s next-generation variant discovery and analysis capabilities, the Stairwell Threat Research team identified a total of 10 samples of <em>ChamelDoH</em>. Notably, one sample is publicly available on third-party malware repositories:&nbsp;</p>



<p>The sample <code>92c9fd3f81da141460a8e9c65b544425f2553fa828636daeab8f3f4f23191c5b</code> was first uploaded to VirusTotal in December of 2022. As of June 2023, it is undetected on the platform by any vendor or community contributor, save for an informational rule indicating that the binary utilizes DoH for DNS resolution.</p>



<figure class="wp-block-image size-large"><img decoding="async" loading="lazy" width="1024" height="486" src="https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-2-1024x486.png" alt="ChamelDoH sample from VirusTotal" class="wp-image-2204" srcset="https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-2-1024x486.png 1024w, https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-2-300x142.png 300w, https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-2-768x364.png 768w, https://stairwell.com/wp-content/uploads/2023/06/ChamelGang-ChamelDoH-2.png 1134w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p><em>Figure 4: A sample of ChamelDoH undetected on VirusTotal as of 06/07/2023</em></p>



<p>A complete list of samples and their configured C2 servers has been included below.</p>



<figure class="wp-block-table"><table><thead><tr><th>SHA256</th><th>C2 domains</th></tr></thead><tbody><tr><td><code>34c19cedffe0ee86515331f93b130ede89f1773c3d3a2d0e9c7f7db8f6d9a0a7</code></td><td><code>ns1.spezialsex[.]com<br>ns2.spezialsex[.]com</code></td></tr><tr><td><code>4fd1515bfb5cf7a928acfacabe9d6b5272c036def898d1de3de7659f174475e0</code></td><td><code>ns30.mayashopping[.]net<br>ns31.mayashopping[.]net</code></td></tr><tr><td><code>6a26367b905fb1a8534732746fa968e3282d065e13267d459770fe0ec9f101fe</code></td><td><code>ns2.marocfamily[.]com<br>ns1.marocfamily[.]com<br>ns1.marocfamilym[.]com<br>ns1.marocfamilyx[.]com</code></td></tr><tr><td><code>70e845163ee46100f93633e135a7ca4361a0d7bc21030bc200d45bb14756f007</code></td><td><code>ns30.mayashopping[.]net<br>ns31.mayashopping[.]net<br>ns2.marocfamily[.]com<br>ns1.marocfamily[.]com</code></td></tr><tr><td><code>92c9fd3f81da141460a8e9c65b544425f2553fa828636daeab8f3f4f23191c5b</code></td><td><code>ns1.spezialsex[.]com<br>ns2.spezialsex[.]com</code></td></tr><tr><td><code>a0bd3b9a008089903c8653d0fcbc16e502da08eb2e77211473d0dfdec2cce67c</code></td><td><code>ns30.mayashopping[.]net<br>ns31.mayashopping[.]net</code></td></tr><tr><td><code>b893445ae388af7a5c8b398edf98cfb7acd191fb7c2e12c7d3b2d82ee8611b1a</code></td><td><code>ns2.marocfamily[.]com<br>ns1.marocfamily[.]com</code></td></tr><tr><td><code>de2c8264c0378f651f607ef5d0b93aca5760d370d5fed562e784ce5404bbc1a9</code></td><td><code>ns2.marocfamily[.]com<br>ns1.marocfamily[.]com</code></td></tr><tr><td><code>e41a5e84d19f9e45972f497270133167669052ad6f11e7a16e832cf1de59da7d</code></td><td><code>ns2.marocfamily[.]com<br>ns1.marocfamily[.]com</code></td></tr><tr><td><code>fe68af66cd9bc02de1221765d793637d27856fcaa632fabb81e805d2a2862b72</code></td><td><code>ns30.mayashopping[.]net<br>ns31.mayashopping[.]net</code></td></tr></tbody></table><figcaption class="wp-element-caption">Table 5: <em>ChamelDoH</em> variants and C2 servers<br></figcaption></figure>



<h2 class="wp-block-heading">Attribution and further work</h2>



<p>Stairwell Threat Research assesses that this malware family is highly likely to be developed by the same group detailed in previous reporting under the moniker ChamelGang. This assessment carries high confidence due to the presence of other intrusion tools that are uniquely attributable to ChamelGang that were identified in association with the deployment of samples of ChamelDoS:</p>



<ul>
<li>A configuration file for FRP configured to communicate with <code>45[.]91[.]24[.]3</code>, which previously resolved to the domain <code>update.microsoft-support[.]net</code>. This domain and the subnet that the domain resolved to are both listed in Positive Technologies’ report on ChamelGang.&nbsp;</li>



<li>A sample of <em>LinuxPrivilegeElevator</em>, a small ELF binary that attempts to elevate to root privileges by calling <code>setuid(0)</code>, <code>setgid(0)</code>, <code>seteuid(0)</code>, and <code>setgid(0)</code> before executing a given command. This tool is also detailed in <a href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang/" target="_blank" rel="noreferrer noopener">Positive Technologies’ report</a>.</li>
</ul>



<p>Analysis of <em>ChamelDoH</em> and other previously unidentified tools utilized by ChamelGang is ongoing by the Stairwell Threat Research team. This report is the first in a series detailing the functionality of this actor’s toolset.</p>



<h2 class="wp-block-heading">YARA</h2>



<pre class="wp-block-code"><code>rule Stairwell_ChamelDoH_01
{
    meta:
        author = "Daniel Mayer (<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="b8dcd9d6d1ddd4f8cbccd9d1cacfddd4d496dbd7d5">[email&#160;protected]</a>)"
        copyright = "(c) 2023 Stairwell, Inc."
        description = "Unique strings from a sample of ChamelDoH"
        last_modified = "2023-06-07"
        version = "0.1"

    strings:
        $ = "001020304050607080910111213141516171819202122232425262728293031"
        $ = "resolve?type=TXT&amp;name="
        $ = "CONNECT_ONLY is required!"
        $ = "&#91;\"ns"
        $ = "touch -r"

    condition:
        4 of them
}</code></pre>



<h2 class="wp-block-heading">About Stairwell</h2>



<p>The Stairwell platform helps organizations automate the detection and response efforts related to the threat outlined in this report and equips them with the tools needed to proactively monitor for future attacks.</p>



<p>By collecting every executable file in an organization’s environment, the Stairwell platform enables security teams to stay a step ahead with AI-based detection and analysis of malware and unknown variants present within your environment.</p>



<p>Conduct a full threat assessment in minutes, automatically and continuously uncover malware and its variants, and instill confidence that you’re better protected now, in the past, and in the future.</p>



<p><a class="c-button c-cta__button-wrapper " href="https://assets.stairwell.com/hubfs/Marketing-Assets/ChamelGang-and-ChamelDoH---Stairwell-threat-research.pdf" target="”_blank”" rel="noopener">                     <span style="color: #002b41;"> Download the report                    </span>                             <i> <svg class="u-icon u-icon--arrow-right" viewBox="0 0 44 14" xmlns="http://www.w3.org/2000/svg" style="color: #002b41;">     <path d="M41.8478 6.36675L36.1884 0.707612L36.8955 0.000488281L43.7621 6.86672L36.8956 13.734L36.1884 13.0269L41.848 7.36675H0.000999451V6.36675H41.8478Z"> </svg>                             </i>                         </a></p>
                    
<div class="c-author">
	<i class="c-author__line"></i>
	<div class="c-author__header">
                    <div class="c-author__image">
                
<div
    class="u-image-wrapper u-image-wrapper--1-1  ">
    <div class="u-image-wrapper__inner">
        <picture>
            <source media="(min-width:1440px)" srcset="https://stairwell.com/wp-content/uploads/2022/09/Headshot-Daniel-Mayer-scaled-e1663097825123.jpg">
            <source media="(min-width:800px)" srcset="https://stairwell.com/wp-content/uploads/2022/09/Headshot-Daniel-Mayer-scaled-e1663097825123.jpg">
            <source media="(min-width:200px)" srcset="">
            <img src="https://stairwell.com/wp-content/uploads/2022/09/Headshot-Daniel-Mayer-scaled-e1663097825123.jpg" class=""
                 alt="">
        </picture>
    </div>
</div>
            </div>
        		<div class="c-author__header-content">
			<p class="c-author__name u-a2">Daniel Mayer</p>
			<p class="c-author__position c-author__position--bold u-b0">THREAT RESEARCHER</p>
			<p class="c-author__position u-b0"></p>
		</div>
	</div>
	<p class="c-author__description">Daniel has over 5 years of experience responding to targeted threats and eCrime intrusions as both an incident responder and a reverse engineer. He can be reached at <a href="/cdn-cgi/l/email-protection#7317121d1a161f330007121a0104161f1f5d101c1e" target="_blank"><span class="__cf_email__" data-cfemail="cda9aca3a4a8a18dbeb9aca4bfbaa8a1a1e3aea2a0">[email&#160;protected]</span></a> or <a href="https://twitter.com/@dan__mayer" target="_blank">@dan__mayer</a> on Twitter.</p>
</div>
                </div>
            </div>
        </div>
      <div class="o-container">
            <section class="c-related-news">
    <div class="o-container--fixed">
      <div class="c-related-news__inner">
        <h3 class="u-a3 c-related-news__heading">
            Related Articles        </h3>

        <div class="c-related-news__cards swiper-container js-related-news-swiper">
          <div class="c-related-news__cards-wrapper swiper-wrapper">
              
<article class="c-news-feed__card swiper-slide">
    <a href="https://stairwell.com/news/security-alert-enrichment-terminator-endpoint-defense-evasion-tool/" class="c-news-feed__card-inner" >
        <div class="c-news-feed__card-top">
			                <div class="c-news-feed__card-image">
					
<div
        class="u-image-wrapper u-image-wrapper--blog-thumb  js-image-wrapper">
    <div class="u-image-wrapper__inner">
        <picture>
            <source media="(min-width:1440px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/2195/Terminator-endpoint-defense-evasion-tool-2880x0.png">
            <source media="(min-width:800px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/2195/Terminator-endpoint-defense-evasion-tool-1440x0.png">
            <source media="(min-width:200px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/2195/Terminator-endpoint-defense-evasion-tool-600x0.png">
            <img data-src="https://stairwell.com/wp-content/uploads/bf-advanced-images/2195/Terminator-endpoint-defense-evasion-tool-2880x0.png" class="js-lazy"
                 alt="">
        </picture>
    </div>
</div>
                </div>
            
            <p class="c-news-feed__card-meta">
				Featured            </p>

            <h3 class="u-a1 c-news-feed__card-heading">
				Security alert enrichment: Terminator endpoint defense evasion tool            </h3>

            <div class="c-news-feed__card-line"></div>

            <p class="u-b1 c-news-feed__card-summary">
				            </p>

        </div>

        <div class="c-news-feed__card-icon">
			<svg class="u-icon u-icon--angle-arrow" viewBox="0 0 60 60" xmlns="http://www.w3.org/2000/svg">
    <path d="M2.18201 3.56311V59.56H0.182007V0.0360031H59.706V2.036H3.41712L60 58.6189L58.6189 60L2.18201 3.56311Z"></path>
</svg>
        </div>
    </a>
</article>

<article class="c-news-feed__card swiper-slide">
    <a href="https://stairwell.com/news/jasper-the-unfriendly-loader/" class="c-news-feed__card-inner" >
        <div class="c-news-feed__card-top">
			                <div class="c-news-feed__card-image">
					
<div
        class="u-image-wrapper u-image-wrapper--blog-thumb  js-image-wrapper">
    <div class="u-image-wrapper__inner">
        <picture>
            <source media="(min-width:1440px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/2187/Jasper-the-unfriendly-loader-2880x0.png">
            <source media="(min-width:800px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/2187/Jasper-the-unfriendly-loader-1440x0.png">
            <source media="(min-width:200px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/2187/Jasper-the-unfriendly-loader-600x0.png">
            <img data-src="https://stairwell.com/wp-content/uploads/bf-advanced-images/2187/Jasper-the-unfriendly-loader-2880x0.png" class="js-lazy"
                 alt="">
        </picture>
    </div>
</div>
                </div>
            
            <p class="c-news-feed__card-meta">
				Featured            </p>

            <h3 class="u-a1 c-news-feed__card-heading">
				Jasper the unfriendly loader            </h3>

            <div class="c-news-feed__card-line"></div>

            <p class="u-b1 c-news-feed__card-summary">
				            </p>

        </div>

        <div class="c-news-feed__card-icon">
			<svg class="u-icon u-icon--angle-arrow" viewBox="0 0 60 60" xmlns="http://www.w3.org/2000/svg">
    <path d="M2.18201 3.56311V59.56H0.182007V0.0360031H59.706V2.036H3.41712L60 58.6189L58.6189 60L2.18201 3.56311Z"></path>
</svg>
        </div>
    </a>
</article>

<article class="c-news-feed__card swiper-slide">
    <a href="https://stairwell.com/news/threat-research-report-exmatter-future-of-data-extortion/" class="c-news-feed__card-inner" >
        <div class="c-news-feed__card-top">
			                <div class="c-news-feed__card-image">
					
<div
        class="u-image-wrapper u-image-wrapper--blog-thumb  js-image-wrapper">
    <div class="u-image-wrapper__inner">
        <picture>
            <source media="(min-width:1440px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/1613/Threat-Report-Exmatter-News-Image-2880x0.png">
            <source media="(min-width:800px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/1613/Threat-Report-Exmatter-News-Image-1440x0.png">
            <source media="(min-width:200px)" data-srcset="https://stairwell.com/wp-content/uploads/bf-advanced-images/1613/Threat-Report-Exmatter-News-Image-600x0.png">
            <img data-src="https://stairwell.com/wp-content/uploads/bf-advanced-images/1613/Threat-Report-Exmatter-News-Image-2880x0.png" class="js-lazy"
                 alt="">
        </picture>
    </div>
</div>
                </div>
            
            <p class="c-news-feed__card-meta">
				Featured            </p>

            <h3 class="u-a1 c-news-feed__card-heading">
				Exmatter: Clues to the future of data extortion            </h3>

            <div class="c-news-feed__card-line"></div>

            <p class="u-b1 c-news-feed__card-summary">
				            </p>

        </div>

        <div class="c-news-feed__card-icon">
			<svg class="u-icon u-icon--angle-arrow" viewBox="0 0 60 60" xmlns="http://www.w3.org/2000/svg">
    <path d="M2.18201 3.56311V59.56H0.182007V0.0360031H59.706V2.036H3.41712L60 58.6189L58.6189 60L2.18201 3.56311Z"></path>
</svg>
        </div>
    </a>
</article>

<article class="c-news-feed__card swiper-slide">
    <a href="https://stairwell.com/news/hunting-with-weak-signals/" class="c-news-feed__card-inner" >
        <div class="c-news-feed__card-top">
			                <div class="c-news-feed__card-image">
					
<div
        class="u-image-wrapper u-image-wrapper--blog-thumb  js-image-wrapper">
    <div class="u-image-wrapper__inner">
        <picture>
            <source media="(min-width:1440px)" data-srcset="https://stairwell.com/wp-content/uploads/2022/01/News-Feature-Threat-Research.svg">
            <source media="(min-width:800px)" data-srcset="https://stairwell.com/wp-content/uploads/2022/01/News-Feature-Threat-Research.svg">
            <source media="(min-width:200px)" data-srcset="https://stairwell.com/wp-content/uploads/2022/01/News-Feature-Threat-Research.svg">
            <img data-src="https://stairwell.com/wp-content/uploads/2022/01/News-Feature-Threat-Research.svg" class="js-lazy"
                 alt="">
        </picture>
    </div>
</div>
                </div>
            
            <p class="c-news-feed__card-meta">
				Threat Research            </p>

            <h3 class="u-a1 c-news-feed__card-heading">
				Hunting with weak signals            </h3>

            <div class="c-news-feed__card-line"></div>

            <p class="u-b1 c-news-feed__card-summary">
				            </p>

        </div>

        <div class="c-news-feed__card-icon">
			<svg class="u-icon u-icon--angle-arrow" viewBox="0 0 60 60" xmlns="http://www.w3.org/2000/svg">
    <path d="M2.18201 3.56311V59.56H0.182007V0.0360031H59.706V2.036H3.41712L60 58.6189L58.6189 60L2.18201 3.56311Z"></path>
</svg>
        </div>
    </a>
</article>
          </div>
        </div>
      </div>
    </div>
  </section>
      </div>
    </div>
    <!-- //PAGE CONTENT -->
</div>
<!-- //PAGE WRAPPER -->
<footer class="c-footer js-line-controller">
	    <div class="c-footer__marquee js-line-controller-button">
        <div class="c-footer__marquee-mover">
            <p>
				Take the next step.            </p>
        </div>
        <div class="c-footer__marquee-mover">
            <p>
				Take the next step.            </p>
        </div>

        <a href="https://stairwell.com/contact/"            class="c-button c-button--footer c-cta__button-wrapper js-line-controller-button">
            <span>
                Try Stairwell            </span>

            <i>
				<svg class="u-icon u-icon--arrow-right" viewBox="0 0 44 14" xmlns="http://www.w3.org/2000/svg">
    <path d="M41.8478 6.36675L36.1884 0.707612L36.8955 0.000488281L43.7621 6.86672L36.8956 13.734L36.1884 13.0269L41.848 7.36675H0.000999451V6.36675H41.8478Z"></path>
</svg>
            </i>
        </a>
    </div>

    <div class="c-footer__top">
        <div class="o-container--fixed">
            <div class="c-footer__inner">
				                    <div class="c-footer__logo">
                        <a href="https://stairwell.com">
                            <img src="https://stairwell.com/wp-content/uploads/2021/09/Stairwell-Logo-Blue.svg" alt="">
                        </a>
                    </div>
				
				    <div class="c-footer__contactcta">
        <h1 class="u-a5 c-footer__contactcta-heading">
			Take the next step.        </h1>

        <a href="https://stairwell.com/contact/"  class="u-uppercase u-b1--bold c-footer__contactcta-btn">
			Try Stairwell        </a>
    </div>

                <div class="c-footer__socials">
                    <p class="u-b3">
						Stay connected                    </p>


					                        <ul>
							
			<li>
                <a href="https://twitter.com/insidestairwell">
					<svg class="u-icon u-icon--twitter" viewBox="0 0 14 12" xmlns="http://www.w3.org/2000/svg">
    <path d="M4.277 11.053C5.32157 11.0602 6.35715 10.8597 7.3236 10.4633C8.29004 10.0669 9.16808 9.48236 9.90672 8.74372C10.6454 8.00508 11.2299 7.12704 11.6263 6.1606C12.0227 5.19415 12.2232 4.15857 12.216 3.114C12.216 2.993 12.216 2.873 12.208 2.753C12.7541 2.35782 13.2255 1.86851 13.6 1.308C13.0916 1.53339 12.5523 1.68136 12 1.747C12.5822 1.39689 13.0172 0.847074 13.224 0.2C12.6762 0.524952 12.0769 0.753914 11.452 0.877001C11.1907 0.599314 10.8752 0.378205 10.525 0.227356C10.1747 0.0765063 9.79731 -0.000875224 9.416 -2.92041e-07C8.67595 -3.39543e-07 7.9662 0.293914 7.44282 0.817112C6.91943 1.34031 6.62527 2.04995 6.625 2.79C6.6245 3.00406 6.64866 3.21747 6.697 3.426C5.58777 3.37038 4.50263 3.08212 3.51203 2.57993C2.52143 2.07774 1.64751 1.37284 0.947 0.510999C0.699362 0.936006 0.568924 1.41911 0.569 1.911C0.568081 2.37082 0.680909 2.82374 0.897434 3.22939C1.11396 3.63505 1.42746 3.98085 1.81 4.236C1.36681 4.22251 0.933328 4.10282 0.546 3.887V3.923C0.546154 4.56711 0.769086 5.19134 1.17699 5.68983C1.58489 6.18832 2.15266 6.53038 2.784 6.658C2.5442 6.72387 2.29669 6.7575 2.048 6.758C1.87181 6.75798 1.69602 6.74124 1.523 6.708C1.70121 7.26254 2.04832 7.74749 2.51578 8.09498C2.98323 8.44248 3.54763 8.63514 4.13 8.646C3.14163 9.42045 1.92165 9.84026 0.666 9.838C0.443447 9.8384 0.221063 9.82571 0 9.8C1.27587 10.6195 2.76063 11.0545 4.277 11.053"></path>
</svg>

                </a>
            </li>
		
			<li>
                <a href="https://www.facebook.com/InsideStairwell/">
					<svg class="u-icon u-icon--facebook" viewBox="0 0 9 16" xmlns="http://www.w3.org/2000/svg">
    <path d="M5.409 15.864V8.897H7.748L8.098 6.182H5.409V4.446C5.409 3.66 5.627 3.124 6.755 3.124H8.19V0.695999C7.49247 0.622083 6.79143 0.586363 6.09 0.588999C5.61418 0.554555 5.13658 0.624579 4.69067 0.794163C4.24476 0.963747 3.84133 1.22879 3.50864 1.57072C3.17595 1.91264 2.92206 2.32318 2.76476 2.77357C2.60745 3.22396 2.55054 3.7033 2.598 4.178V6.178H0.261002V8.893H2.606V15.86H5.406"></path>
</svg>

                </a>
            </li>
		
			<li>
                <a href="https://www.linkedin.com/company/stairwell-inc/">
					<svg class="u-icon u-icon--linkedin" viewBox="0 0 15 15" xmlns="http://www.w3.org/2000/svg">
    <path d="M2.316 0.743999C2.74035 0.743999 3.14732 0.912571 3.44737 1.21263C3.74743 1.51269 3.916 1.91965 3.916 2.344C3.916 2.76835 3.74743 3.17531 3.44737 3.47537C3.14732 3.77543 2.74035 3.944 2.316 3.944C1.89166 3.944 1.48469 3.77543 1.18463 3.47537C0.884574 3.17531 0.716003 2.76835 0.716003 2.344C0.716003 1.91965 0.884574 1.51269 1.18463 1.21263C1.48469 0.912571 1.89166 0.743999 2.316 0.743999V0.743999ZM0.937003 14.012H3.694V5.149H0.937003V14.012Z"></path>
    <path d="M6 5.22201H8.64V6.43401H8.678C8.9421 5.98181 9.32399 5.60977 9.78294 5.35757C10.2419 5.10538 10.7607 4.98249 11.284 5.00201C14.073 5.00201 14.584 6.83701 14.584 9.22401V14.085H11.834V9.77501C11.834 8.74701 11.816 7.42501 10.403 7.42501C8.969 7.42501 8.751 8.54501 8.751 9.70201V14.086H6V5.22301"></path>
</svg>

                </a>
            </li>
		
			<li>
                <a href="https://stairwell.com/feed/atom/">
					<svg width="25" height="24" viewBox="0 0 25 24" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M5.09034 16.0674C4.53157 16.0694 3.98593 16.2369 3.52225 16.5487C3.05858 16.8606 2.69765 17.3027 2.48502 17.8195C2.27238 18.3362 2.21756 18.9043 2.32748 19.4522C2.4374 20.0001 2.70713 20.5031 3.10263 20.8978C3.49814 21.2925 4.00169 21.5612 4.54977 21.6701C5.09784 21.7789 5.66587 21.723 6.18218 21.5093C6.69849 21.2956 7.13994 20.9338 7.45085 20.4696C7.76175 20.0053 7.92816 19.4593 7.92909 18.9005C7.92674 18.1489 7.62672 17.4288 7.0947 16.8978C6.56268 16.3668 5.84199 16.0682 5.09034 16.0674Z" fill="#012B41"/>
<path d="M2.25171 8.75V12.807C4.68921 12.807 7.03015 13.5284 8.75187 15.2497C10.4736 16.9709 11.1894 19.3072 11.1894 21.7499H15.2516C15.2516 14.6455 9.36124 8.75 2.25171 8.75V8.75Z" fill="#012B41"/>
<path d="M2.25171 2.25V6.3075C10.9353 6.3075 17.6839 13.0612 17.6839 21.75H21.7517C21.7517 10.9997 13.0175 2.25 2.25171 2.25Z" fill="#012B41"/>
</svg>

                </a>
            </li>
		                        </ul>
					                </div>

				                    <div class="c-footer__newsletter">
                        <p class="u-b3 c-footer__newsletter-heading">
							                        </p>
                        <div class="c-footer__newsletter-slot">
							
<div class="wpcf7 no-js" id="wpcf7-f1460-o1" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/news/chamelgang-and-chameldoh-a-dns-over-https-implant/#wpcf7-f1460-o1" method="post" class="wpcf7-form init newsletter-form" aria-label="Contact form" novalidate="novalidate" data-status="init">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="1460" />
<input type="hidden" name="_wpcf7_version" value="5.7.7" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f1460-o1" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
</div>
<div class="wpcf7-response-output" aria-hidden="true"></div>
</form>
</div>
                        </div>
                    </div>
				            </div>
        </div>
    </div>

    <div class="c-footer__bottom">
        <div class="o-container--fixed">
            <div class="c-footer__inner">
                <div class="c-footer__rights">
                    <p class="u-b2 u-b2--thin">
						<p>© 2023 Stairwell, Inc. All rights reserved.</p>
<p><button class="cky-banner-element" style="background-color: #fff; border: 1px solid #FA6219; border-radius: 3px; padding: 10px 16px; margin: 15px 0px 0px 0px; text-decoration: none; color: #000; font-family: inherit; font-size: inherit; font-weight: normal; line-height: inherit; text-align: left; text-shadow: none;">Cookie Preferences</button></p>
                    </p>
                </div>

                <div class="c-footer__nav">
					                        <ul class="u-b2 u-b2--thin">
							                                <li>
                                    <a href="https://stairwell.com/privacy-policy/" class="c-link-thin">
										Privacy Policy                                    </a>
                                </li>
							                                <li>
                                    <a href="https://stairwell.com/website-terms-and-conditions/" class="c-link-thin">
										Terms                                    </a>
                                </li>
							                                <li>
                                    <a href="https://stairwell.com/security-statement/" class="c-link-thin">
										Security                                    </a>
                                </li>
							                        </ul>
					                </div>
            </div>
        </div>
    </div>
</footer>

<!-- Begin ZoomInfo Footer -->
<noscript>
    <img src="https://ws.zoominfo.com/pixel/61b934c611d2a8001c3b0968" width="1" height="1" style="display: none;" />
</noscript>
<!-- End ZoomInfo Footer -->

<!-- Begin LinkedIn Footer -->
<script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script><script type="text/javascript">
_linkedin_partner_id = "4077292";
window._linkedin_data_partner_ids = window._linkedin_data_partner_ids || [];
window._linkedin_data_partner_ids.push(_linkedin_partner_id);
</script><script type="text/javascript">
(function(l) {
if (!l){window.lintrk = function(a,b){window.lintrk.q.push([a,b])};
window.lintrk.q=[]}
var s = document.getElementsByTagName("script")[0];
var b = document.createElement("script");
b.type = "text/javascript";b.async = true;
b.src = "https://snap.licdn.com/li.lms-analytics/insight.min.js";
s.parentNode.insertBefore(b, s);})(window.lintrk);
</script>
<noscript>
<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=4077292&fmt=gif" />
</noscript>
<!-- End LinkedIn Footer -->		<!-- Google Tag Manager (noscript) snippet added by Site Kit -->
		<noscript>
			<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NFTQ2KC" height="0" width="0" style="display:none;visibility:hidden"></iframe>
		</noscript>
		<!-- End Google Tag Manager (noscript) snippet added by Site Kit -->
		<script type='text/javascript' id='stairwellWeb2021Vendor-js-extra'>
/* <![CDATA[ */
var frontend_rest_object = {"rest_url":"https:\/\/stairwell.com\/wp-json\/api\/v1","post_type_filter":"post-type-filter"};
/* ]]> */
</script>
<script type='text/javascript' src='https://stairwell.com/wp-content/themes/stairwell-web-2021/static/dist/vendor.js?ver=1.48' id='stairwellWeb2021Vendor-js'></script>
<script type='text/javascript' src='https://stairwell.com/wp-content/themes/stairwell-web-2021/static/dist/bundle.js?ver=1.48' id='stairwellWeb2021Bundle-js'></script>
<script type='text/javascript' src='https://stairwell.com/wp-content/plugins/contact-form-7/includes/swv/js/index.js?ver=5.7.7' id='swv-js'></script>
<script type='text/javascript' id='contact-form-7-js-extra'>
/* <![CDATA[ */
var wpcf7 = {"api":{"root":"https:\/\/stairwell.com\/wp-json\/","namespace":"contact-form-7\/v1"},"cached":"1"};
/* ]]> */
</script>
<script type='text/javascript' src='https://stairwell.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7.7' id='contact-form-7-js'></script>
<script type='text/javascript' id='leadin-script-loader-js-js-extra'>
/* <![CDATA[ */
var leadin_wordpress = {"userRole":"visitor","pageType":"post","leadinPluginVersion":"10.1.24"};
/* ]]> */
</script>
<script type='text/javascript' src='https://js.hs-scripts.com/8174064.js?integration=WordPress&#038;ver=10.1.24' async defer id='hs-script-loader'></script>

</body>
</html>
